SDFix report
SDFix: Version 1.104
Run by Norbert on 2007-09-13 at 18:06
Microsoft Windows XP [Wersja 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:
Name:
Mimserv
ImagePath:
"C:\WINDOWS\system32\dllcache\services.exe"
Mimserv - Deleted
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...
Normal Mode:
Checking Files:
Trojan Files Found:
C:\WINDOWS\SYSTEM32\IT.EXE - Deleted
C:\WINDOWS\SYSTEM32\DLLCACHE\SERVICES.EXE - Deleted
C:\WINDOWS\system32\i - Deleted
C:\WINDOWS\system32\TFTP2692 - Deleted
C:\WINDOWS\system32\TFTP3764 - Deleted
C:\WINDOWS\system32\upds.exe - Deleted
Removing Temp Files...
ADS Check:
C:\WINDOWS
No streams found.
C:\WINDOWS\system32
No streams found.
C:\WINDOWS\system32\svchost.exe
No streams found.
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
Final Check:
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINDOWS\\System32\\upds.exe"="C:\\WINDOWS\\System32\\upds.exe:*:Enabled:Windows System Update Tools"
Remaining Files:
---------------
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes:
Finished!
HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:12:16, on 2007-09-13
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\kxmixer.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\AutoConnect\AutoConnect.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [kX Mixer] C:\WINDOWS\System32\kxmixer.exe --startup
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [AutoConnect] C:\Program Files\AutoConnect\AutoConnect.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{5AFAFFC7-3DFC-40B8-9983-E9CF288A96C9}: NameServer = 194.204.159.1 217.98.63.164
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
--
End of file - 2921 bytes
ComboFix log:
ComboFix 07-09-13.3 - "Norbert" 2007-09-13 18:13:53.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1250.48.1045.18.238 [GMT 2:00]
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\efcywuu.dll
C:\WINDOWS\system32\oqtss.bak1
C:\WINDOWS\system32\oqtss.bak2
C:\WINDOWS\system32\oqtss.ini
C:\WINDOWS\system32\rqrspqp.dll
C:\WINDOWS\system32\sstqo.dll
.
((((((((((((((((((((((((( Files Created from 2007-08-13 to 2007-09-13 )))))))))))))))))))))))))))))))
.
2007-09-13 18:13 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-13 18:06 <DIR> d-------- C:\WINDOWS\ERUNT
2007-09-13 17:10 4,096 --a------ C:\WINDOWS\d3dx.dat
2007-09-13 15:24 <DIR> d-------- C:\Program Files\RegCleaner
2007-09-13 14:28 1,156 --a------ C:\WINDOWS\mozver.dat
2007-09-13 13:46 57,088 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2007-09-13 13:46 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2007-09-13 13:46 3,712 --a------ C:\WINDOWS\system32\drivers\ctljystk.sys
2007-09-13 13:46 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys
2007-09-13 13:46 298,104 --a------ C:\WINDOWS\system32\imon.dll
2007-09-13 13:46 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2007-09-13 13:45 70,144 --a------ C:\WINDOWS\system32\usbui.dll
2007-09-13 13:44 <DIR> dr-h----- C:\DOCUME~1\DEFAUL~1\Ustawienia lokalne
2007-09-13 13:44 <DIR> dr-h----- C:\DOCUME~1\DEFAUL~1\Dane aplikacji
2007-09-13 13:44 <DIR> dr-h----- C:\DOCUME~1\ALLUSE~1\Dane aplikacji
2007-09-13 13:44 <DIR> dr------- C:\DOCUME~1\DEFAUL~1\Menu Start
2007-09-13 13:44 <DIR> dr------- C:\DOCUME~1\ALLUSE~1\Menu Start
2007-09-13 13:44 <DIR> dr------- C:\DOCUME~1\ALLUSE~1\Dokumenty
2007-09-13 13:44 <DIR> d--h----- C:\DOCUME~1\DEFAUL~1\Szablony
2007-09-13 13:44 <DIR> d--h----- C:\DOCUME~1\ALLUSE~1\Szablony
2007-09-13 13:44 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\Ulubione
2007-09-13 13:44 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\Pulpit
2007-09-13 13:44 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\Moje dokumenty
2007-09-13 13:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Ulubione
2007-09-13 13:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Pulpit
2007-09-13 13:35 50,688 --a------ C:\WINDOWS\system32\wbhelp2.dll
2007-09-13 13:35 <DIR> d-------- C:\Program Files\DAP
2007-09-13 13:34 <DIR> d-------- C:\Program Files\Gadu-Gadu
2007-09-13 13:34 <DIR> d-------- C:\DOCUME~1\Norbert\Gadu-Gadu
2007-09-13 13:27 87,040 --a--c--- C:\WINDOWS\system32\dllcache\wiafbdrv.dll
2007-09-13 13:27 87,040 --a------ C:\WINDOWS\system32\wiafbdrv.dll
2007-09-13 13:27 13,824 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2007-09-13 13:27 13,824 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-09-13 13:27 <DIR> d-------- C:\Program Files\Lexmark 3100 Series
2007-09-13 13:25 182,880 --a--c--- C:\WINDOWS\system32\dllcache\iuengine.dll
2007-09-13 13:25 182,880 --a------ C:\WINDOWS\system32\iuengine.dll
2007-09-13 13:23 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-13 13:21 <DIR> d-------- C:\DOCUME~1\Norbert\WINDOWS
2007-09-13 13:17 0 --a------ C:\WINDOWS\nsreg.dat
2007-09-13 13:13 307,200 --a------ C:\WINDOWS\IsUn0415.exe
2007-09-13 13:13 19,072 --a------ C:\WINDOWS\system32\drivers\usbehci.sys
2007-09-13 13:13 <DIR> d-------- C:\Program Files\VIA Technologies, Inc
2007-09-13 13:12 <DIR> d-------- C:\Program Files\SAGEM
2007-09-13 13:10 <DIR> d-------- C:\Program Files\AutoConnect
2007-09-13 13:07 <DIR> d-------- C:\Program Files\kX Project
2007-09-13 13:06 516,096 --------- C:\WINDOWS\system32\ati2sgag.exe
2007-09-13 13:05 451,072 --a------ C:\WINDOWS\Radeon Omega Drivers v2.6.87 Uninstall.exe
2007-09-13 13:05 <DIR> d-------- C:\Program Files\Radeon Omega Drivers
2007-09-13 13:05 <DIR> d-------- C:\Program Files\MultiRes
2007-09-13 13:04 <DIR> d-------- C:\Program Files\Intel
2007-09-13 13:03 62,848 --a--c--- C:\WINDOWS\system32\dllcache\pci.sys
2007-09-13 13:03 62,848 --a------ C:\WINDOWS\system32\drivers\pci.sys
2007-09-13 13:03 5,824 --a------ C:\WINDOWS\system32\drivers\ASUSHWIO.SYS
2007-09-13 13:03 25,472 --a--c--- C:\WINDOWS\system32\dllcache\agp440.sys
2007-09-13 13:03 25,472 --a------ C:\WINDOWS\system32\drivers\AGP440.SYS
2007-09-13 13:03 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2007-09-13 13:03 <DIR> d-------- C:\Program Files\Common Files\InstallShield
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-13 13:12 23 --a------ C:\WINDOWS\system32\drivers\adidsl.cfg
2007-09-13 12:53 --------- d-------- C:\Program Files\microsoft frontpage
--------- C:\Program Files\Usługi online
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fd167ff4-b9b8-4981-b022-9015cc425fbe}]
C:\WINDOWS\system32\125tup.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AtiPTA"="atiptaxx.exe" [2005-11-23 02:05 C:\WINDOWS\system32\atiptaxx.exe]
"kX Mixer"="C:\WINDOWS\System32\kxmixer.exe" [2005-07-14 15:17]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-09-13 13:46]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AutoConnect"="C:\Program Files\AutoConnect\AutoConnect.exe" [2004-08-28 20:27]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2006-11-14 11:12]
C:\DOCUME~1\ALLUSE~1\MENUST~1\Programy\AUTOST~1\
DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2007-09-13 13:12:25]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\125tup]
125tup.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\System32\\sstqo
R3 kxwdmdrv;kX WDM Driver Service;C:\WINDOWS\System32\drivers\kx.sys
.
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-13 18:16:35
Windows 5.1.2600 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-09-13 18:17:23 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-13 18:17
.
--- E O F ---